Information Security News mailing list archives

When laptops 'walk away,' company secrets go, too


From: InfoSec News <isn () C4I ORG>
Date: Thu, 15 Mar 2001 00:55:30 -0600

http://www.usatoday.com/life/cyber/tech/2001-03-13-walking-laptops.htm

By Salina Khan
USA TODAY
03/13/2001

Companies are discovering that a traveler's stolen laptop is more than
an inconvenience; it's a dangerous security risk.

Security experts say most companies aren't doing enough to protect
laptops and the data stored on them against theft. About 70% of
companies don't have policies on security and the use of laptops while
traveling, according to an informal October survey by TechRepublic, an
online site for information technology professionals.

"A lot of people don't create a laptop policy until they have a laptop
walk out the door," says Bob Artner, TechRepublic's vice president of
content development.

The costs can be large. The number of laptops reported lost or stolen
rose more than 20% last year to 387,000, according to Safeware, The
Insurance Agency. Assuming an average cost of $2,000 (on the low side
for a good laptop), that puts the replacement cost at close to $775
million.

A company with 10,000 mobile workers spends $7 million a year on lost,
missing or broken laptops, according to the Meta Group in Stamford,
Conn.

Harder to measure and more troublesome is the loss of corporate
secrets and other sensitive information that may have fallen into the
wrong hands.

"I know of some (thefts of executives' laptops) that would make your
blood curdle, especially if you were investing in their companies,"
says Ravi Hariprasad, CEO of Lucira Technologies, a laptop security
software provider in Boston.

Qualcomm CEO Irwin Jacobs has not recovered his IBM ThinkPad, 6 months
after it was stolen from the stage of a meeting room where he was
addressing a journalists' conference.

According to press reports at the time, the laptop was stocked with
confidential information. Qualcomm would not comment for this article
on its laptop security policy before or since the incident.

Security experts say the value of information that's being stored on
laptops, from documents and e-mails to direct links into corporate
computer networks, is underappreciated.

Security breaches often occur because companies do not enforce the
laptop security policies that they have, says Julie Lucas, director of
infrastructure technology at GlobalNetwork Technology Services in
Boston.

"They'd rather put their head in the sand like an ostrich and think
it's never going to happen to them," Lucas says.

Cooley Godward, a law firm in Palo Alto, Calif., says it didn't
regularly follow its laptop security procedures until an employee was
caught stealing 200 laptops several years ago. Security has become a
higher priority for the company since then. Cooley Godward now
recommends employees use cables to lock their laptops to their desks.
It records the serial numbers of laptops before issuing them, and the
firm holds brown bag lunches with employees to discuss security
issues. It is considering requiring employees to periodically change
the passwords for their laptops.

"We are strictly adhering to procedures that were then in place that
are adding tighter guidelines," says Cooley Godward spokesman Patrick
Bustamante.

To protect against theft, companies should "have a culture of highly
valuing information," suggests Kevin Coleman, a partner in KPMG's
Information Risk Management practice. He says companies should create
a hierarchy of data and prohibit employees from saving more sensitive
information on their laptops.

"If organizations don't have a classification system, it's difficult
for employees to know what data is important and what is not," Coleman
says.

He recommends companies also conduct routine inventories and have
their technology departments scan information stored on laptops to
determine if they have sensitive information on them.

Companies increasingly are making use of technological tools to help
keep laptops safe. From 25% to 35% of companies are using hardware or
software devices to protect their mobile devices, but in an "irregular
and haphazard way," according to the Meta Group. Nearly three-quarters
of companies are expected to improve their management of laptops and
information stored on them by 2004.

Among the steps being taken:

* Encryption. Cooley Godward is considering installing software that
  would make sensitive documents stored on laptops unreadable to
  anyone without a correct password. Bill Spernow of Gartner in
  Stamford, Conn., says encryption software is gaining popularity but
  sometimes makes it difficult for company administrators to open and
  read the encrypted documents.

* Virtual Private Networks (VPNs). More companies allow their
  employees to access their main computer system from laptops using
  an Internet connection. To protect data and passwords from being
  stolen during transmission, companies are installing VPNs. They let
  a company's employees work as if they're in private areas of the
  Internet where other Internet users should not be able to enter.

The IDC of Framingham, Mass., estimates companies will spend $5
billion on VPNs in 2003, up from $700 million in 1999.

* Laptop locators. Lucira Technologies is one company that offers
  software to track stolen laptops once they have been used to connect
  to the Internet. Lucira's software forces the laptop's modem to dial
  to Lucira's office. The company can find the location of the laptop
  by matching the phone number being used with its database of phone
  numbers, addresses and maps. It will notify local law enforcement
  officials if asked.

Lucira is introducing software this year that will also let its users
destroy or retrieve information stored on stolen laptops once the
thief connects to the Internet.

While security tools are gaining in popularity, experts say they are
useless without appropriate employee training and awareness.

That's why laptop security provider PentaSafe Security Technologies in
Houston introduced software in December that monitors whether an
employee has read security updates in e-mail or on intranets and
quizzes their security knowledge.

"You need to provide education like you did about sexual harassment in
the '80s," says Steve Kahan, executive vice president at PentaSafe.
"The people side of security is the missing link that is now getting
attention."

ISN is hosted by SecurityFocus.com